RESUMO
Cyber incidents are among the most critical business risks for organisations and can lead to large financial losses. However, previous research on loss modelling is based on unassured data sources because the representativeness and completeness of op-risk databases cannot be assured. Moreover, there is a lack of modelling approaches that focus on the tail behaviour and adequately account for extreme losses. In this paper, we introduce a novel 'tempered' generalised extreme value (GEV) approach. Based on a stratified random sample of 5000 interviewed German organisations, we model different loss distributions and compare them to our empirical data using graphical analysis and goodness-of-fit tests. We differentiate various subsamples (industry, size, attack type, loss type) and find our modified GEV outperforms other distributions, such as the lognormal and Weibull distributions. Finally, we calculate losses for the German economy, present application examples, derive implications as well as discuss the comparison of loss estimates in the literature.
RESUMO
The Internet has simplified daily life activities. However, besides its comfortability, the Internet also presents the risk of victimization by several kinds of crimes. The present article addresses the question of which factors influence cyber-dependent crime and how they vary between three kinds of cyber-dependent offences: malware infection, ransomware infection, and misuse of personal data. According to the Routine Activity Approach, it is assumed that crime is determined by a motivated offender, the behavior of the Internet user, and the existence of prevention factors. Our analyses were based on a random sample of 26,665 Internet users in two federal states in Germany, aged 16 years and older; 16.6 percent of the respondents had experienced at least one form of cyber-dependent victimization during the year 2014. The results indicate that individual and household factors, as well as online and prevention behavior, influence the risk of cyber-dependent victimization. Furthermore, the effects differ between the three types of offences. In conclusion, the risk of being victimized by cyber-dependent crime is not the same for anyone, but depends on multivariate factors according to the idea of Routine Activity Approach. However, in view of the fact that crime-related factors also matter, studying different cybercrime offences separately seems to be an appropriate research approach.
